A brief history of the cyber insurance market
Cyber insurance emerged in response to the 1990s dot-com bubble. It initially focused on US data protection exposures but evolved to address the global regulatory environment and fill other gaps in traditional insurance, such as business interruption caused by computer system outages. Cyber insurance was perceived as an opportunity for premium revenue growth where competition kept prices low and the appetite for innovation high.
With hindsight, some insurers were too keen to enter the market and did not appreciate the risks. Their scrutiny of IT controls was cursory. Unfortunately, from the point of view of the insurance buyer, that situation could not last, particularly after a spate of costly cyber incidents. Consequently, over the last 2-3 years, premiums have been rising exponentially, with insurers becoming more selective.
Airline-specific issues
The airline sector offers specific challenges. Personal data record count (one of the chief determinants of cost), including payment card information, can be exceptionally high and the multinational nature of passengers complicates the regulatory and liability exposure.
Airlines can incur high business interruption losses (and passenger compensation) very quickly after an outage of either the airline’s own systems or those of a third-party provider. Well-publicised outages have led to flight cancellations and delays. Moreover, airlines are particularly reliant on third party IT partners, some of which (e.g. Global Distribution Systems providers) provide similar services to many other airlines, potentially aggregating insurers’ exposure.
In addition, as a critical component of national infrastructure, airlines can be high profile targets for hacktivists, extortionists and state-sponsored cyberattacks, and can be subject in some countries to new regulatory exposures (e.g. EU’s Network and Information Systems Directive).
A time for readjustment
Whilst this may seem disconcerting, realistically, premiums were unsustainably low and needed to rise to reflect insurers’ risks thus allowing them to remain in the market. Self-insured retentions have increased, and insurers require additional information around cyber security controls, especially in the context of ransomware vulnerabilities. Where insurers feel that certain minimum cybersecurity standards have not been met, they are declining to offer terms.
This creates an opportunity for airlines to work with their brokers to better present their cyber security profile. Insurers have made it clear what they are looking for and there is capacity to support well-managed risks that are presented positively. It is vital for airlines to ensure that insurers understand their IT environment: while an airline might not implement an IT control that is ordinarily a minimum requirement, explaining what mitigating controls are in place can overcome insurers’ objections.
The best advice is not to rush to market but to ensure that you can present your cybersecurity in the best light. Cyber insurers have developed a better understanding of the risk and how they are expected to respond in the event of a claim. That should be viewed as a positive.
John Rooley
CEO Global Aerospace
